[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Mon Sep 1 17:35:05 CEST 2014


On 2 Sep 2014 00:59, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
>
> On Tue, 2 Sep 2014 00:53:11 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
> > >
> > > To be frank I don't understand what you're arguing about.
> >
> > When I said "shadowing ssl can be tricky to arrange", Chris correctly
> > interpreted it as referring to the filesystem based privilege escalation
> > scenario that isolated mode handles, not to normal in-process
> > monkeypatching or module injection.
>
> There's no actual difference. You can have a sitecustomize.py that does
> the monkeypatching or the shadowing. There doesn't seem to be anything
> "tricky" about that.

Oh, now I get what you mean - yes, sitecustomize already poses the same kind of problem as the proposed sslcustomize (hence the existence of the related command line options).

I missed that you had switched to talking about using that attack vector, rather than trying to shadow stdlib modules directly through the filesystem (which is the only tricky thing I was referring to).

Cheers,
Nick.
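Added illustration, not part of the message above and not CPython's own code: a defender-side audit that walks an import path and reports where `sitecustomize`, the proposed `sslcustomize`, or a shadowing `ssl` would be picked up, and whether the containing directory is writable by group or others. The function names `find_startup_hooks` and `first_hits` are hypothetical, and only plain directories with `.py` files or packages are considered (no zip entries, `.pyc`-only modules or custom finders).

```python
import os
import stat
import sys

# Names taken from the thread: sitecustomize (imported by `site` at startup),
# the proposed sslcustomize, and ssl itself (filesystem shadowing).
WATCHED = ("sitecustomize", "sslcustomize", "ssl")


def find_startup_hooks(paths, watched=WATCHED):
    """List (module, file, dir_is_group_or_world_writable) for every watched
    module present as a package or .py file, in import-search order."""
    findings = []
    for entry in paths:
        directory = entry or os.getcwd()  # '' on sys.path means the current dir
        if not os.path.isdir(directory):
            continue  # zip archives and stale entries are out of scope here
        mode = os.stat(directory).st_mode
        loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
        for name in watched:
            # A package wins over a same-named module inside one directory.
            for rel in (os.path.join(name, "__init__.py"), name + ".py"):
                full = os.path.join(directory, rel)
                if os.path.isfile(full):
                    findings.append((name, full, loose))
    return findings


def first_hits(findings):
    """Map each module to the first file found: the one a path-based import
    would load, ahead of any later copy such as the stdlib's own."""
    chosen = {}
    for name, full, loose in findings:
        chosen.setdefault(name, (full, loose))
    return chosen


if __name__ == "__main__":
    # sys.flags.isolated is 1 under `python -I` (isolated mode).
    print("isolated mode:", bool(sys.flags.isolated))
    for name, (full, loose) in first_hits(find_startup_hooks(sys.path)).items():
        flag = "WRITABLE BY GROUP/OTHERS" if loose else "ok"
        print(f"{name:14} {full}  [dir: {flag}]")
```

Running it once normally and once with `python -I` shows which path entries isolated mode drops from the search.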
